
Does Microsoft Help the NSA Hack Your Computer?

Earlier this month, a Bloomberg News investigative piece revealed that Microsoft, anti-virus software maker McAfee and numerous other American technology firms shared advance information about vulnerabilities in their software with the U.S. government.

Such knowledge, Bloomberg reported, could be weaponized, giving the United States a tool to break into the computer systems of adversaries — or of its own citizens.

But the reality may be less alarming. Microsoft and McAfee already share advance security information with various government agencies, which are clients like any other and need to be alerted of urgent security risks.

Microsoft, through its Microsoft Active Protections Program, also supplies dozens of anti-virus firms around the world, including McAfee, with advance information on software vulnerabilities. Any one of those firms could pass the information along to its national government.

In fact, when it comes to devising attacks using previously unknown software vulnerabilities — "zero-day exploits" in hacker lingo — intelligence agencies such as the National Security Agency and the Central Intelligence Agency don't need Microsoft or McAfee to tell them how.

Instead, the cyberwarriors and spies are better off doing it the old-fashioned way: buying the exploits from hackers.

Weapons Bazaar

Robert Graham, CEO and founder of Atlanta-based Errata Security, said that there's a relatively open and semi-legal market for zero-day exploits.

Security researchers, Graham explained, will discover a new vulnerability, write the code that makes it exploitable and shop it around to people they know in the field — including employees of government agencies.

"Zero-days are considered the weapons in a cyberwar scenario," said Mark Wuergler, senior security researcher at Immunity Inc. in Miami Beach. "It's the zero-days getting you in undetected to target resources in a way that target won't expect."

There's even a French company, VUPEN, that makes money finding zero-days and quietly selling them to governments. (VUPEN has told journalists it sells only to NATO members and allies.)

A really good zero-day exploit can fetch hundreds of thousands of dollars, Graham said. More common ones are much less than that.

Full disclosure

So what if an American company discovered a security flaw on its own? Would it have to ask the government whether it could disclose it publicly?

Probably not. The NSA, in particular, wouldn't tell a company like Microsoft or Verizon to hide a security flaw. If it turned out that a software firm deliberately concealed a known flaw, the act of omission might reveal more than the NSA would want other countries to know.

On top of that, ignoring flaws, disclosed or not, would mean that a company was not fixing problems. If that policy were exposed, it would give its customers reason to pursue an alternate vendor.

There have been questions recently, Wuergler said, about long time lags between when major Microsoft software vulnerabilities have been discovered and when they've finally been fixed.

Was Microsoft keeping the vulnerabilities open for the NSA? Wuergler said there's little hard evidence for that.

But is it really fair to give big corporations, security firms and U.S. government agencies advance warning of information that the public won't get for several more days?

Wuergler explains that it has to be that way.

When Microsoft releases a security patch through its regular patch cycle, usually on the second Tuesday of every month, it isn't uncommon for hackers to try to immediately exploit the newly disclosed vulnerabilities before all users and IT administrators install the patch.

For this reason, Wuergler said, the day after "Patch Tuesday" has acquired the nickname "Exploit Wednesday."

Giving larger Microsoft customers and partners — including government agencies — advance notification of the new security flaw helps those customers mitigate such blowback.
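As an added illustration of the exposure window described above (example code written for this page, not from the article, Microsoft or any vendor): the script computes Patch Tuesday for a month and flags hosts in a constructed inventory that have not installed updates since that date, which is the population "Exploit Wednesday" attacks rely on finding.

```python
# Added example (not from the article): find Patch Tuesday (second Tuesday of
# the month) and list hosts whose last successful update predates it, i.e. hosts
# still unpatched during the post-release window the article calls
# "Exploit Wednesday".
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month, Microsoft's regular release day."""
    first = date(year, month, 1)
    # weekday(): Monday=0 ... Tuesday=1; distance from the 1st to the first Tuesday
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def exposed_hosts(inventory, today: date):
    """Return sorted (hostname, days_since_release) pairs for hosts not yet
    patched since the most recent Patch Tuesday on or before `today`."""
    release = patch_tuesday(today.year, today.month)
    if release > today:
        # This month's release has not happened yet; use last month's instead.
        last_month = today.replace(day=1) - timedelta(days=1)
        release = patch_tuesday(last_month.year, last_month.month)
    result = []
    for host, last_patched in inventory.items():
        if last_patched < release:
            result.append((host, (today - release).days))
    return sorted(result)


# Constructed sample inventory (hypothetical hostnames): host -> date the host
# last installed updates. June 2013's release day was Tuesday, June 11.
SAMPLE_INVENTORY = {
    "ws-finance-01": date(2013, 6, 12),
    "ws-hr-02": date(2013, 5, 15),
    "srv-file-01": date(2013, 6, 11),
    "srv-dc-01": date(2013, 6, 13),
}

if __name__ == "__main__":
    # Eight days after the June 2013 release, one sample host is still exposed.
    for host, days in exposed_hosts(SAMPLE_INVENTORY, date(2013, 6, 19)):
        print(f"{host}: unpatched {days} day(s) after Patch Tuesday")
```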

We Don't Just Do Windows

However, security experts worry about more than just PC software vulnerabilities.

There are also hardware and software security flaws in telecommunications equipment and in the industrial control systems (ICS) that run factories and power plants. Both are vulnerable to hackers and occasionally have zero-day exploits.

The Stuxnet worm in 2010, most likely a U.S. intelligence project, damaged centrifuges used for purifying uranium in Iran. It carried at least one zero-day exploit for the centrifuge control systems, and possibly others for the centrifuges themselves.

That was in addition to four Windows zero-day exploits, which were targeted at the Iranian nuclear facility's main computer systems. Five zero-days — worth potentially millions of dollars — are more than any single piece of malware has carried before or since.

We may never learn how Stuxnet's creators found those zero-days. The exploits could have been bought on the open hacker market, could have been independently discovered by the malware's creators or could have been disclosed privately by the software vendor — or all three.

"There's a real concern that was raised a very long time ago, that what happened with Stuxnet ... was never really communicated to industry," said Joe Weiss, managing partner at Applied Control Solutions, a consulting firm in the Bay Area, and the author of books about protecting industrial systems. "But the industrial-control world is a lot different from the IT world."
